Working in the anti-virus industry requires a good stock of tin foil hats to hand out to some strange conspiracy theorists. The fact is that the anti-virus industry didn’t name a worm “Kama Sutra”, the media did. The AV industry didn’t name the worm “Blackworm”, that was a group (TISF BlackWorm task force) from a pair of security lists called MWP (Malicious Websites and Phishing) and DA (Drone Army). Blackworm is a bit easier to remember than VB.NEI, or most of the other names this one goes by. Ultimately I believe that Mitre showed their metal with the Common Malware Enumeration (CME) system. We can all say CME-24 and know we are talking about the same item. This became quite handy when talking to people whose products call CME-24 by the names VB.NEI, Nyxem, Blackmal, and the lot. And yet, the AV industry is accused of a conspiracy to hype things up. Silly…

The Real Conspiracy.

(Thunder, lightening, and a smoldering cigar please.)

The DA and MWP lists, coordinated and moderated by Gadi Evron, consist of security professionals who work in most any industry that has a role in internet security. Member of law enforcement, ISPs, ASPs, education, and security vendors all are represented. I’m sure I forgot a few, like ESET, Microsoft and various CERTs. This group of people has conspired with many others to attempt to warn users about CME-24 in an effort to mitigate the harmful effects of the worm. I know - I was on a conference call today where we all shared information about efforts to deal with the problem. Here’s some of what we heard…

Dr. Johannes Ullrich (SANS ISC) and Prof. Randy Vaughn (Baylor University) both spent a week tracking down which ISPs had infected users, and then contacting these ISPs to help them help their users. Much of their work involved tedious work parsing logs that the worm creates. Joe Stewart, Senior Security Researcher with LURHQ (http://www.lurhq.com/) assisted in the effort and provided analysis of the worm very early on and updated the large group on a variety of facets of his work. ) assisted in the effort and provided analysis of the worm very early on and updated the large group on a variety of facets of his work.We heard from KRCert, the Korea Computer Emergency Response team that this worm is not as wide spread as some have been in the past, but Alex Shipp (MessageLabs), and others have warned that they are seeing particularly large numbers of infection indications coming from India. It’s not going to be pretty there. My former co-worker, Greg Galford from Microsoft let us know that call volumes from Asia (it is already the 3rd there, are not above normal. Good news there.

Additionally, you better have some anti-virus software on your PC, CME-24 detection isn’t being added to the Malicious Software Removal tool until the usual monthly update time. This makes sense - the security vulnerability is users clicking on attachments they shouldn’t. There is no Microsoft vulnerability at work and the MSRT is not a replacement for anti-virus. I invited people from competing anti-virus companies to join the call (I know conspiracy written all over it) and several people did contribute to the conversation. I felt that we did a great job, but suggested we do a better job with naming next time. None of the anti-virus companies were calling CME-24 "Blackworm" so we probably should have gone with something that was already being used. The FBI had a representative on the call who indicated that they have received some good leads in recent days.

Yes, I admit it. The conspiracy is larger than previously disclosed in public. Microsoft, The FBI, ISPs, Registrars, ASNs, Anti-Virus, US-CERT, UNIRAS (UK), FIRST, SANS ISC and MANY, MANY other security people and groups from a variety of industries and all over the world are working together to try to help minimize the damage fro this worm. What’s worse is that we’ve been doing this type of thing for years and will continue to get better at it. This conference call, and a smaller one a week earlier (also organized by Gadi Evron) not only have helped protect users, but significantly contribute to enhancing collaboration between security professionals from a diverse array of security disciplines. Yeah, there’s a conspiracy for you. By the way, I think the CIA might have been listening to the call, but my phone was wrapped in foil. I don’t think they heard me.

Randy Abrams
Director of Technical Education
ESET LLC